Anti-virus vendors released pattern updates today to recognize a new variant of the Sober worm. Sober uses its own SMTP engine to spread via email attachments. Secunia has a page that links to anti-virus vendors' descriptions of this specimen. Take a look at this page if you need technical information regarding the latest Sober variant. Also, please be sure to keep your anti-virus signatures up to date.

Steve Friedl pointed us to the BroadbandReports discussion that documents a series of web server compromises that deliver spy/adware to victims that visit compromised sites. The victims are running a vulnerable browser. The information is still preliminary, but there are indications that the attackers are using an IFRAME vulnerability in Internet Explorer to deliver the payload. The web servers hosting the malicious code seem to be running Apache.

We don't have much information regarding this attack pattern to determine its scope. We'd love to hear from you if you can share with us logs, malware samples, or observations relevant to this incident. If server compromises are widespread, this incident is reminiscent of attacks on Web servers that distributed the Download.Ject trojan in June.

One of the popular uses for stolen ISP information is sending out more phishing spam. The attackers use the stolen accounts to send spam until MSN, AOL, Earthlink, or another service provider disables the account for policy violations. The attacker then moves to the next account stolen via an earlier phishing scam.

Today we received reports of phishing scams that targeted SunTrust and Comcast customers. In one case, which was quite typical, the attackers used a compromised website to collect stolen information. The owners of the site were unaware of the problem, just like many owners of sites used to proxy spam messages, or the owners of accounts from which the spam was sent. The number of unsuspecting victims, involuntarily acting as phishing collaborators, can be surprisingly large.

No Honor Among Thieves (Part II)

We received a message from Don Parker, as a follow-up to yesterday's mention of the backdoor built into the fake Half-Life 2 exploit. Don described a post to a discussion forum (http://www.security-forums.com) that claimed to offer a zero-day exploit for the MS04-029 vulnerability. The exploit claimed to offer the attacker a remote shell; however, MS04-029 focused on denial of service and information disclosure. Moreover, the supposed exploit included shellcode, but lacked NOP instructions typically present in buffer-overflow attacks. Don's analysis confirmed that the posted "exploit" actually provided the code's author an IRC-based backdoor to the hopeful attacker's system.

The practice of building backdoors into attack tools is quite widespread, particularly in malicious programs that don't come with source code, or with exploits that have hard-to-understand shellcode and come from obscure sources. Please use extreme caution when testing such tools on your systems.
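The two indicators in Don's analysis above (no NOP sled where a buffer-overflow payload would normally have one, and an IRC-based backdoor) can be turned into a quick static triage step to run before any "shellcode" from an unknown source ever executes. The script below is an added example, not code from the diary or from Don Parker; the byte strings it inspects are constructed stand-ins (a plain NOP sled followed by INT3 padding, and a blob that carries IRC commands), not the posted exploit.

```python
import re

# IRC protocol verbs a self-contained IRC client would have to send.
IRC_MARKERS = (b"NICK ", b"JOIN ", b"PRIVMSG ", b"USER ", b"PASS ")


def longest_nop_run(code: bytes) -> int:
    """Length of the longest run of 0x90 (x86 NOP) bytes in the blob."""
    longest = run = 0
    for b in code:
        run = run + 1 if b == 0x90 else 0
        longest = max(longest, run)
    return longest


def printable_strings(code: bytes, min_len: int = 4):
    """ASCII strings of at least min_len characters, like strings(1)."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, code)]


def triage(code: bytes) -> dict:
    """Static look at a supposed shellcode blob; never executes it."""
    strings = printable_strings(code)
    irc_hits = [s for s in strings
                if any(m in s.encode("ascii") for m in IRC_MARKERS)]
    flags = []
    if longest_nop_run(code) == 0:
        flags.append("no NOP sled (unusual for a stack-overflow payload)")
    if irc_hits:
        flags.append("IRC protocol strings embedded")
    return {
        "nop_run": longest_nop_run(code),
        "strings": strings,
        "irc_strings": irc_hits,
        "flags": flags,
    }


# Constructed sample 1: what a typical overflow payload opens with.
SAMPLE_SLED = b"\x90" * 32 + b"\xcc\xcc\xcc\xcc"

# Constructed sample 2: no sled, and an IRC session spelled out in clear.
SAMPLE_BACKDOORED = b"\xeb\x10" + b"NICK h0pe\r\nJOIN #ctl\r\n" + b"\xcc" * 4

if __name__ == "__main__":
    for name, blob in (("sled", SAMPLE_SLED), ("backdoored", SAMPLE_BACKDOORED)):
        result = triage(blob)
        print(name, "nop_run=%d" % result["nop_run"], result["irc_strings"])
        for flag in result["flags"]:
            print("  !", flag)
```

Treat the output as a prompt for a closer look, not a verdict: an encoded or self-decrypting payload hides its strings from `printable_strings`, and plenty of legitimate exploits have no sled at all. A clean triage result is still no reason to run unknown code anywhere but an isolated, disposable lab host.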